The MAILING DATE of this communication appears on the cover sheet with the correspondence address.
All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1. ☒ This communication is responsive to Applicants' amendments filed 20 April and 26 April 2010. 

2. ☒ The allowed claim(s) is/are 1-4, 6-21 and 23-30. 

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the: 

1 . □ Certified copies of the priority documents have been received. 

2. □ Certified copies of the priority documents have been received in Application No. . 

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the 

International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted. 

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached 

1) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 
6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 
attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 

DETAILED ACTION 

This Office Action is in response to the Applicants' amendments filed 14 January 2010 and 20 April 2010 and 
interviews with the Applicants' Representative, Dalei Dong, on 20 April 2010 and 26 April 2010. Claims 1-3, 
9, 13, 16, 17, 19, and 20 are amended herein, and Claims 1-4, 6-21, and 23-30 are currently pending and 
allowed below. 

EXAMINER'S AMENDMENT 

1. An Examiner's amendment to the record appears below. Should the changes and/or additions be 
unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure 
consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. 
Authorization for this Examiner's amendment was given in a telephone interview with Applicants' 
Representative, Dalei Dong on 20 April 2010 and 26 April 2010. 
The application has been amended as follows: 
In the Claim(s): 

1. (Currently Amended) A computer-implemented method for an enterprise to assess risks associated with an 
outside service provider, the method comprising: 

identifying, via an user interface, outside service provider information that describes the outside service 

provider; 

storing the outside service provider information in a database; 

identifying, via the user interface, resource information that describes resources of the enterprise associated 
with services provided by the outside service provider; 

storing the resource information in the database; 

assessing, via computer server, [[an impact]] a risk on the enterprise from a degradation of the services from 
the outside service provider, wherein assessing the [[impact]] risk on the enterprise comprises assessing a business 
[[impact]] risk on the enterprise and assessing a country [[impact]] risk on the enterprise, 



Application/Control Number: 10/664,283 Page 3 

Art Unit: 3624 

wherein assessing the business [[impact]] risk on the enterprise further comprises: 

assessing an impact on external customers of the enterprise resulting from the degradation of the 
services from the outside service provider; 

assessing an impact on internal customers of the enterprise resulting from the degradation of the 
services from the outside service provider, wherein the internal customers of the enterprise include at least a [[person]] 
customer implementing one or more internal applications of the enterprise; 

assessing a financial impact resulting from the degradation of the services from the outside service 

provider; 

assessing an allowable time period that the degradation of the services from the outside service 
provider can last; and 

assessing an impact on regulatory obligations resulting from the degradation of the services from 
the outside service provider, wherein the impact on regulatory obligation includes a financial penalty ; 
storing the assessment in the database; 

automatically determining, via the server, a criticality of the outside service provider in response to the 
assessment; 

storing the criticality in the database; and 

providing, via the user interface, status data from the database, wherein the status data comprises at least 
one of a status of: 

the resource information; 
the assessment; and 
the criticality. 

2. (Currently Amended) The method of claim 1, wherein the step of assessing the country [[impact]] risk 
on the enterprise further comprises: 

identifying countries in which the outside service provider operates; and 

determining a country impact risk associated with the identified countries, wherein the step of automatically 
determining the criticality is also in response to the country impact risk. 
3. (Currently Amended) The method according to claim 2, wherein the step of determining a country 
impact risk associated with the identified country further comprises: 

collecting economic condition information with respect to the identified country; 

storing the economic condition information in the database; 

collecting social condition information with respect to the identified country; 

storing the social condition information in the database; 

collecting political condition information with respect to the identified country; 

and storing the political condition information in the database. 

4. (Original) The method according to claim 1, wherein at least one of the resources of the enterprise 
includes at least one software application employed by the enterprise. 

5. (Canceled) 

6. (Original) The method according to claim 1, further comprising: 

assigning specific people to fulfill roles with respect to management of a relationship with the outside service 
provider, wherein the roles include at least one of information owner and information risk manager. 

7. (Original) The method according to claim 6, further comprising: 

receiving acknowledgements of the acceptances of the assignments from the specific people. 

8. (Original) The method according to claim 6, further comprising: 
assigning alternate people to fulfill the roles. 
9. (Currently Amended) The method according to claim 6, wherein the role of the information owner 
comprises at least one of: 

obtaining from the outside service provider copies of financial and non-financial audit reports; 

obtaining documentation describing the outside service provider's procedural, physical access, logical 
access and business recovery controls; 

requiring notification by the outside service provider of any organization, security-related and other changes 
affecting the availability, confidentiality, or integrity of the services provided by the outside service provider; and 

initiating [[the]] a risk assessment process. 

10. (Original) The method according to claim 6, wherein the role of information risk manager 
comprises at least one of: 

maintaining an updated list of outside service providers used by the enterprise; and 
allocating resources for the outside service provider assessment process. 

11. (Original) The method according to claim 1, wherein all of the steps of the method are facilitated 
using a software application, the method further comprising: 

generating data input screens for accepting input from a user; and 

providing drop down boxes on the data input screens in order to facilitate selection of predefined 
information. 

12. (Original) The method according to claim 1, further comprising assessing a recovery plan of the 
outside service provider. 

13. (Currently Amended) The method according to claim 12, wherein the assessment of the outside 
service provider recovery plan further comprises: 

questioning [[the]] a developer of the recovery plan as to whether it has required elements; and 
developing a corrective action plan to address missing required elements. 
14. (Original) The method according to claim 13, wherein the required elements include: 
an alternate site for providing the services; and 

a business continuity plan for resumption of the services at the alternate site. 

15. (Original) The method according to claim 1, wherein the step of providing status data further 
comprises: 

providing status data on the enterprise level; providing status data on a line of business level; and 
providing status data on a department level. 

16. (Currently Amended) The method according to claim 1, wherein the enterprise has policies and 
procedures for protecting [[the]] an integrity of provision of services, the method further comprising assessing a 
compliance of the outside service provider to the policies and procedures. 

17. (Currently Amended) The method according to claim 16, further comprising developing a 
corrective action plan if the outside service provider is not in compliance, the corrective action plan containing [[the]] 
steps required to bring the outside service provider into compliance. 

18. (Original) The method according to claim 17, further comprising obtaining an acknowledgement by 
management of the enterprise of risk associated with the non-compliance of the outside service provider. 

19. (Currently Amended) A system for an enterprise to assess risks associated with an outside service 
provider comprising: 

a user interface for interfacing with users of the system; 

at least one computer database server and at least one computer application server coupled to the user 
interface; and 

at least one database and at least one application respectively coupled to the computer database server and 

the computer application server; 
wherein the system is programmed to: 

accept outside service provider information that describes the outside service provider; 
store the outside service provider information in a database; 

accept resource information that describes resources of the enterprise associated with services 
provided by the outside service provider; 

store the resource information in the database; 

assess an impact risk on the enterprise from a degradation of the services from the outside service 
provider, wherein assess the risk on the enterprise comprises [[assess]] assessing a business risk on the enterprise and 
assessing a country impact risk on the enterprise, 

wherein assessing the business risk on the enterprise comprises: 

an assessment of an impact on external customers of the enterprise resulting from the degradation 
of the services from the outside service provider; 

an assessment of an impact on internal customers of the enterprise resulting from the degradation 
of the services from the outside service provider, wherein the internal customers of the enterprise include at least a 
[[person]] customer implementing one or more internal applications of the enterprise; 

an assessment of a financial impact resulting from the degradation of the services from the outside 

service provider; 

an assessment of an allowable time period that the degradation of the services from the outside 
service provider can last; and 

an assessment of an impact on regulatory obligations resulting from the degradation of the services 
from the outside service provider, wherein the impact on regulatory obligation includes a financial penalty; 

store the assessment in the database; 

automatically determine a criticality of the outside service provider in response to the assessment; 
store the criticality in the database; and 

provide status data from the database, wherein the status data comprises at least one of a status of 
the resource information, the assessment, and the criticality. 
20. (Currently Amended) The system of claim 19, wherein the assessment of the country impact risk 
on the enterprise further comprises: 

accept countries in which the outside service provider operates; and 

determine a country impact risk associated with the countries, wherein the step of automatically determining 
the criticality is also in response to the country impact risk. 

21. (Original) The system according to claim 19, wherein at least one of the resources of the 
enterprise includes at least one software application employed by the enterprise. 

22. (Canceled) 

23. (Original) The system according to claim 19, wherein the database further includes: 

an assignment of specific people to fulfill roles with respect to management of a relationship with the outside 
service provider, wherein the roles include at least one of information owner and information risk manager. 

24. (Original) The system according to claim 23, wherein the database further includes: 
acknowledgements of the acceptances of the assignments from the specific people. 

25. (Original) The system according to claim 23, wherein the database further includes: 
an assignment of alternate people to fulfill the roles. 

26. (Original) The system according to claim 19, wherein the system is further programmed to assess 
a recovery plan of the outside service provider. 

27. (Original) The system according to claim 26, wherein the user interface is used to collect 
responses from the developer of the recovery plan as to whether it has required elements, and to collect a corrective 
action plan to address missing required elements. 
28. (Original) The system according to claim 27, wherein the required elements include: 

an alternate site for providing the services; and a business continuity plan for resumption of the services at 
the alternate site. 

29. (Original) The system according to claim 19, wherein the status data further comprises: 

status data on the enterprise level; status data on a line of business level; and status data on a department 

level. 

30. (Original) The system according to claim 19, wherein the user interface further comprises: 

data input screens for accepting input from a user; and drop down boxes on the data input screens 
in order to facilitate selection of predefined information. 
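The method of claims 1 through 3, as an added illustrative implementation; this is not code from the application, the applicant or the Office. The claims require only that a business risk (external customers, internal customers, financial impact, allowable degradation period, regulatory penalty) and a country risk (economic, social and political conditions of the countries the provider operates in) be assessed, stored, and used to determine criticality automatically. The 0-3 rating scale, the dollar and time thresholds, the worst-country rule, the tier names, the provider names and figures, and the in-memory SQLite tables standing in for the claimed database are all assumptions made for this example.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass

# Assumed ordinal scale for every rating in this example: 0 = none, 1 = minor,
# 2 = significant, 3 = severe. The claims do not fix a scale.
SEVERE = 3


@dataclass
class BusinessRiskAssessment:
    """The five elements of the business risk assessment in claim 1."""
    provider: str
    external_customer_impact: int       # 0-3
    internal_customer_impact: int       # 0-3, customers running internal applications
    financial_impact_usd: float
    allowable_degradation_hours: float  # how long the degradation may last
    regulatory_penalty_usd: float       # financial penalty on regulatory obligations


@dataclass
class CountryConditions:
    """Claim 3: economic, social and political condition information per country."""
    country: str
    economic: int   # 0-3
    social: int     # 0-3
    political: int  # 0-3


def business_risk_score(a: BusinessRiskAssessment) -> int:
    """Collapse the five assessed elements into one 0-3 score (assumed thresholds)."""
    score = max(a.external_customer_impact, a.internal_customer_impact)
    if a.financial_impact_usd >= 1_000_000 or a.regulatory_penalty_usd > 0:
        score = max(score, SEVERE)
    elif a.financial_impact_usd >= 100_000:
        score = max(score, 2)
    if a.allowable_degradation_hours <= 24:
        score = max(score, SEVERE)
    elif a.allowable_degradation_hours <= 72:
        score = max(score, 2)
    return score


def country_risk_score(conditions: list[CountryConditions]) -> int:
    """Claim 2: one country risk for all countries the provider operates in.
    Assumed rule: the worst single condition in the worst country."""
    if not conditions:
        return 0
    return max(max(c.economic, c.social, c.political) for c in conditions)


def determine_criticality(business: int, country: int) -> str:
    """Claims 1-2: criticality responds to both scores (assumed tiers and rule)."""
    if business == SEVERE and country >= 2:
        return "critical"
    return {3: "high", 2: "medium", 1: "low", 0: "negligible"}[max(business, country)]


class RiskRegister:
    """In-memory SQLite database standing in for the database the claims store into."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE provider(name TEXT PRIMARY KEY, description TEXT);"
            "CREATE TABLE resource(provider TEXT, resource TEXT);"
            "CREATE TABLE assessment(provider TEXT PRIMARY KEY, business INTEGER, country INTEGER);"
            "CREATE TABLE criticality(provider TEXT PRIMARY KEY, tier TEXT);"
        )

    def add_provider(self, name: str, description: str) -> None:
        self.db.execute("INSERT INTO provider VALUES (?, ?)", (name, description))

    def add_resource(self, provider: str, resource: str) -> None:
        self.db.execute("INSERT INTO resource VALUES (?, ?)", (provider, resource))

    def assess(self, a: BusinessRiskAssessment, countries: list[CountryConditions]) -> str:
        """Score, store the assessment, then determine and store the criticality."""
        business, country = business_risk_score(a), country_risk_score(countries)
        tier = determine_criticality(business, country)
        self.db.execute("INSERT OR REPLACE INTO assessment VALUES (?, ?, ?)",
                        (a.provider, business, country))
        self.db.execute("INSERT OR REPLACE INTO criticality VALUES (?, ?)", (a.provider, tier))
        return tier

    def status(self, provider: str) -> dict:
        """Status data from the database: resource information, assessment, criticality."""
        resources = [r for (r,) in self.db.execute(
            "SELECT resource FROM resource WHERE provider = ? ORDER BY rowid", (provider,))]
        scores = self.db.execute(
            "SELECT business, country FROM assessment WHERE provider = ?", (provider,)).fetchone()
        tier = self.db.execute(
            "SELECT tier FROM criticality WHERE provider = ?", (provider,)).fetchone()
        return {"resources": resources,
                "assessment": None if scores is None else {"business": scores[0], "country": scores[1]},
                "criticality": None if tier is None else tier[0]}


def run_example() -> dict[str, dict]:
    """Two constructed providers with hypothetical names and figures."""
    reg = RiskRegister()
    reg.add_provider("PayClear", "card settlement processor")
    reg.add_resource("PayClear", "settlement-batch-app")
    reg.add_resource("PayClear", "customer-portal")
    reg.assess(BusinessRiskAssessment("PayClear", 3, 2, 2_500_000, 4, 250_000),
               [CountryConditions("A", 1, 1, 1), CountryConditions("B", 1, 2, 2)])
    reg.add_provider("OfficeSupplyCo", "stationery supplier")
    reg.add_resource("OfficeSupplyCo", "procurement-app")
    reg.assess(BusinessRiskAssessment("OfficeSupplyCo", 0, 1, 20_000, 720, 0),
               [CountryConditions("A", 1, 1, 1)])
    return {name: reg.status(name) for name in ("PayClear", "OfficeSupplyCo", "Unknown")}


if __name__ == "__main__":
    for name, data in run_example().items():
        print(name, data)
```

Running the module prints the status record for each provider; a provider that was never assessed ("Unknown" above) comes back with an empty resource list and no assessment or criticality, which is the gap a status screen should make visible rather than hide.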

1. The following is an Examiner's statement of reasons for allowance: 

The present invention is directed to a method and system for an enterprise to assess risks 
associated with an outside service provider. The closest prior art, Callahan (U.S. Pub. No. 2003/0229525) in 
view of Bott (U.S. 6,856,973) and in further view of Borgia et al. (Borgia) (U.S. Pub. No. 2002/0129221), fails 
to teach either singularly or in combination a method and system for an enterprise to assess risks 
associated with an outside service provider. The analogous art of Callahan is directed to an integrated 
compliance monitoring method for organizations. The analogous art of Bott is directed to assessing 
creditworthiness of a country. The analogous art of Borgia is directed to tracking compliance with policies 
related to management of risk. Although Callahan, Bott, and Borgia generally teach risk management, 
Callahan in view of Bott and in further view of Borgia fail to teach either singularly or in combination a 
method and system for: 

an enterprise to assess risks associated with an outside service provider, the method comprising: 
identifying, via an user interface, outside service provider information that describes the outside service 
provider; 

storing the outside service provider information in a database; 
identifying, via the user interface, resource information that describes resources of the 
enterprise associated with services provided by the outside service provider; 
storing the resource information in the database; 

assessing, via computer server, a risk on the enterprise from a degradation of the services 
from the outside service provider, wherein assessing the risk on the enterprise comprises assessing a 
business risk on the enterprise and assessing a country risk on the enterprise, wherein assessing the 
business risk on the enterprise further comprises: 

assessing an impact on external customers of the enterprise resulting from the 
degradation of the services from the outside service provider; 

assessing an impact on internal customers of the enterprise resulting from the degradation 
of the services from the outside service provider, wherein the internal customers of the enterprise include at 
least a customer implementing one or more internal applications of the enterprise; 

assessing a financial impact resulting from the degradation of the services from the 
outside service provider; 

assessing an allowable time period that the degradation of the services from the outside 
service provider can last; and 

assessing an impact on regulatory obligations resulting from the degradation of the 
services from the outside service provider, wherein the impact on regulatory obligation includes a financial 
penalty; 

storing the assessment in the database; 

automatically determining, via the computer server, a criticality of the outside service 
provider in response to the assessment; 

storing the criticality in the database; and 

providing, via the user interface, status data from the database, wherein the status data 
comprises at least one of a status of: 

the resource information; 
the assessment; 
and the criticality. 




Conclusion 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue 
fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should 
be clearly labeled "Comments on Statement of Reasons for Allowance." 

/Jonathan G. Sterrett/ 

Primary Examiner, Art Unit 3623 
Any inquiry concerning this communication or earlier communications from the examiner should be directed 
to THOMAS MANSFIELD whose telephone number is (571)270-1904. The examiner can normally be reached on 
Monday-Thursday 8:30 am-6 pm, alt. Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Boswell Beth 
can be reached on 571-272-6737. The fax phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application Information 
Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or 
Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more 
information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like 
assistance from a USPTO Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/T. M./ 

Examiner, Art Unit 3624 

7 May 2010 
Thomas Mansfield 
